upstream/mercurial-mirror Commit - r28045:f68ded00

1

#!/usr/bin/env python

1

#!/usr/bin/env python

2

#

2

#

3

4

#

4

#

5

# Author(s):

5

# Author(s):

6

# Thomas Arendsen Hein <thomas@intevation.de>

6

# Thomas Arendsen Hein <thomas@intevation.de>

7

#

7

#

8

# This software may be used and distributed according to the terms of the

8

# This software may be used and distributed according to the terms of the

9

# GNU General Public License version 2 or any later version.

9

# GNU General Public License version 2 or any later version.

10

11

"""

11

"""

12

hg-ssh - a wrapper for ssh access to a limited set of mercurial repos

12

hg-ssh - a wrapper for ssh access to a limited set of mercurial repos

13

14

To be used in ~/.ssh/authorized_keys with the "command" option, see sshd(8):

14

To be used in ~/.ssh/authorized_keys with the "command" option, see sshd(8):

15

command="hg-ssh path/to/repo1 /path/to/repo2 ~/repo3 ~user/repo4" ssh-dss ...

15

command="hg-ssh path/to/repo1 /path/to/repo2 ~/repo3 ~user/repo4" ssh-dss ...

16

(probably together with these other useful options:

16

(probably together with these other useful options:

17

no-port-forwarding,no-X11-forwarding,no-agent-forwarding)

17

no-port-forwarding,no-X11-forwarding,no-agent-forwarding)

18

19

This allows pull/push over ssh from/to the repositories given as arguments.

19

This allows pull/push over ssh from/to the repositories given as arguments.

20

21

If all your repositories are subdirectories of a common directory, you can

21

If all your repositories are subdirectories of a common directory, you can

22

allow shorter paths with:

22

allow shorter paths with:

23

command="cd path/to/my/repositories && hg-ssh repo1 subdir/repo2"

23

command="cd path/to/my/repositories && hg-ssh repo1 subdir/repo2"

24

25

You can use pattern matching of your normal shell, e.g.:

25

You can use pattern matching of your normal shell, e.g.:

26

command="cd repos && hg-ssh user/thomas/* projects/{mercurial,foo}"

26

command="cd repos && hg-ssh user/thomas/* projects/{mercurial,foo}"

27

28

You can also add a --read-only flag to allow read-only access to a key, e.g.:

28

You can also add a --read-only flag to allow read-only access to a key, e.g.:

29

command="hg-ssh --read-only repos/*"

29

command="hg-ssh --read-only repos/*"

30

"""

30

"""

31

32

# enable importing on demand to reduce startup time

32

# enable importing on demand to reduce startup time

33

from mercurial import demandimport; demandimport.enable()

33

from mercurial import demandimport; demandimport.enable()

34

35

from mercurial import dispatch

35

from mercurial import dispatch

36

37

import sys, os, shlex

37

import sys, os, shlex

38

39

def main():

39

def main():

40

cwd = os.getcwd()

40

cwd = os.getcwd()

41

readonly = False

41

readonly = False

42

args = sys.argv[1:]

42

args = sys.argv[1:]

43

while len(args):

43

while len(args):

44

if args[0] == '--read-only':

44

if args[0] == '--read-only':

45

readonly = True

45

readonly = True

46

args.pop(0)

46

args.pop(0)

47

else:

47

else:

48

break

48

break

49

allowed_paths = [os.path.normpath(os.path.join(cwd,

49

allowed_paths = [os.path.normpath(os.path.join(cwd,

50

os.path.expanduser(path)))

50

os.path.expanduser(path)))

51

for path in args]

51

for path in args]

52

orig_cmd = os.getenv('SSH_ORIGINAL_COMMAND', '?')

52

orig_cmd = os.getenv('SSH_ORIGINAL_COMMAND', '?')

53

try:

53

try:

54

cmdargv = shlex.split(orig_cmd)

54

cmdargv = shlex.split(orig_cmd)

55

except ValueError, e:

55

except ValueError, e:

56

sys.stderr.write('Illegal command "%s": %s\n' % (orig_cmd, e))

56

sys.stderr.write('Illegal command "%s": %s\n' % (orig_cmd, e))

57

sys.exit(255)

57

sys.exit(255)

58

59

if cmdargv[:2] == ['hg', '-R'] and cmdargv[3:] == ['serve', '--stdio']:

59

if cmdargv[:2] == ['hg', '-R'] and cmdargv[3:] == ['serve', '--stdio']:

60

path = cmdargv[2]

60

path = cmdargv[2]

61

repo = os.path.normpath(os.path.join(cwd, os.path.expanduser(path)))

61

repo = os.path.normpath(os.path.join(cwd, os.path.expanduser(path)))

62

if repo in allowed_paths:

62

if repo in allowed_paths:

63

cmd = ['-R', repo, 'serve', '--stdio']

63

cmd = ['-R', repo, 'serve', '--stdio']

64

if readonly:

64

if readonly:

65

cmd += [

65

cmd += [

66

'--config',

66

'--config',

67

'hooks.pretxnopen.hg-ssh=python:__main__.rejectpush',

67

'hooks.pretxnopen.hg-ssh=python:__main__.rejectpush',

68

'--config',

68

'--config',

69

'hooks.prepushkey.hg-ssh=python:__main__.rejectpush'

69

'hooks.prepushkey.hg-ssh=python:__main__.rejectpush'

70

]

70

]

71

dispatch.dispatch(dispatch.request(cmd))

71

dispatch.dispatch(dispatch.request(cmd))

72

else:

72

else:

73

sys.stderr.write('Illegal repository "%s"\n' % repo)

73

sys.stderr.write('Illegal repository "%s"\n' % repo)

74

sys.exit(255)

74

sys.exit(255)

75

else:

75

else:

76

sys.stderr.write('Illegal command "%s"\n' % orig_cmd)

76

sys.stderr.write('Illegal command "%s"\n' % orig_cmd)

77

sys.exit(255)

77

sys.exit(255)

78

79

def rejectpush(ui, **kwargs):

79

def rejectpush(ui, **kwargs):

80

ui.warn("Permission denied\n")

80

ui.warn(("Permission denied\n"))

81

# mercurial hooks use unix process conventions for hook return values

81

# mercurial hooks use unix process conventions for hook return values

82

# so a truthy return means failure

82

# so a truthy return means failure

83

return True

83

return True

84

85

if __name__ == '__main__':

85

if __name__ == '__main__':

86

main()

86

main()

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

             #!/usr/bin/env python
             #
             # Copyright 2005-2007 by Intevation GmbH <intevation@intevation.de>
             #
             # Author(s):
             # Thomas Arendsen Hein <thomas@intevation.de>
             #
             # This software may be used and distributed according to the terms of the
             # GNU General Public License version 2 or any later version.
             """
             hg-ssh - a wrapper for ssh access to a limited set of mercurial repos
             To be used in ~/.ssh/authorized_keys with the "command" option, see sshd(8):
             command="hg-ssh path/to/repo1 /path/to/repo2 ~/repo3 ~user/repo4" ssh-dss ...
             (probably together with these other useful options:
              no-port-forwarding,no-X11-forwarding,no-agent-forwarding)
             This allows pull/push over ssh from/to the repositories given as arguments.
             If all your repositories are subdirectories of a common directory, you can
             allow shorter paths with:
             command="cd path/to/my/repositories && hg-ssh repo1 subdir/repo2"
             You can use pattern matching of your normal shell, e.g.:
             command="cd repos && hg-ssh user/thomas/* projects/{mercurial,foo}"
             You can also add a --read-only flag to allow read-only access to a key, e.g.:
             command="hg-ssh --read-only repos/*"
             """
             # enable importing on demand to reduce startup time
             from mercurial import demandimport; demandimport.enable()
             from mercurial import dispatch
             import sys, os, shlex
             def main():
                 cwd = os.getcwd()
                 readonly = False
                 args = sys.argv[1:]
                 while len(args):
                     if args[0] == '--read-only':
                         readonly = True
                         args.pop(0)
                     else:
                         break
                 allowed_paths = [os.path.normpath(os.path.join(cwd,
                                                                os.path.expanduser(path)))
                                  for path in args]
                 orig_cmd = os.getenv('SSH_ORIGINAL_COMMAND', '?')
                 try:
                     cmdargv = shlex.split(orig_cmd)
                 except ValueError, e:
                     sys.stderr.write('Illegal command "%s": %s\n' % (orig_cmd, e))
                     sys.exit(255)
                 if cmdargv[:2] == ['hg', '-R'] and cmdargv[3:] == ['serve', '--stdio']:
                     path = cmdargv[2]
                     repo = os.path.normpath(os.path.join(cwd, os.path.expanduser(path)))
                     if repo in allowed_paths:
                         cmd = ['-R', repo, 'serve', '--stdio']
                         if readonly:
                             cmd += [
                                 '--config',
                                 'hooks.pretxnopen.hg-ssh=python:__main__.rejectpush',
                                 '--config',
                                 'hooks.prepushkey.hg-ssh=python:__main__.rejectpush'
                                 ]
                         dispatch.dispatch(dispatch.request(cmd))
                     else:
                         sys.stderr.write('Illegal repository "%s"\n' % repo)
                         sys.exit(255)
                 else:
                     sys.stderr.write('Illegal command "%s"\n' % orig_cmd)
                     sys.exit(255)
             def rejectpush(ui, **kwargs):
-                ui.warn("Permission denied\n")
+                ui.warn(("Permission denied\n"))
                 # mercurial hooks use unix process conventions for hook return values
                 # so a truthy return means failure
                 return True
             if __name__ == '__main__':
                 main()